kaiten | d2e2fd9bcb3ba0416e9f057c3b09c8470d51634fc6ab0414611ba27ac7e98e2d

Analysis

max time kernel
43s
max time network
151s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22-12-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inst
Size

732B
MD5

56a30205ea23a457ff2af18a76cd521c
SHA1

a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606
SHA256

d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851
SHA512

7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 4 IoCs

resource	yara_rule
behavioral4/files/fstream-6.dat	family_kaiten2
behavioral4/files/fstream-8.dat	family_kaiten2
behavioral4/files/fstream-14.dat	family_kaiten2
behavioral4/files/fstream-15.dat	family_kaiten2

Detects Kaiten/Tsunami payload 3 IoCs

resource	yara_rule
behavioral4/files/fstream-8.dat	family_kaiten
behavioral4/files/fstream-14.dat	family_kaiten
behavioral4/files/fstream-15.dat	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.xAMhjs	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	id

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cciJHHnO.res	gcc
File opened for modification	/tmp/ccK4DIRO.o	collect2
File opened for modification	/tmp/httpds	ld
File opened for modification	/tmp/saveds	Process not Found
File opened for modification	/tmp/ccpMlAX1.s	gcc
File opened for modification	/tmp/ccgtz5MD.o	as
File opened for modification	/tmp/ccoZFwtu.c	collect2
File opened for modification	/tmp/ccgNr2c8.ld	collect2
File opened for modification	/tmp/ccykhoer.le	collect2
File opened for modification	/tmp/saveds	inst
File opened for modification	/tmp/ccpMlAX1.s	cc1
File opened for modification	/tmp/ccgtz5MD.o	gcc

/tmp/inst
/tmp/inst
1⤵
- Writes file to tmp directory
PID:704
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:706
- /bin/mkdir
  mkdir /etc/-lib
  2⤵
  - Reads runtime system information
  PID:709
- /bin/chmod
  chmod u+x /etc/-lib/httpd
  2⤵
  PID:712
- /usr/bin/chattr
  chattr +ais /etc/-lib/httpd
  2⤵
  PID:716
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:717
- /bin/grep
  grep -vi /etc/-lib/httpd
  2⤵
  PID:718
- /usr/bin/crontab
  crontab saveds
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:719
- /bin/rm
  rm -rf saveds
  2⤵
  PID:722
- /usr/bin/gcc
  gcc httpds.c -o httpds
  2⤵
  - Writes file to tmp directory
  PID:723
- - /usr/lib/gcc/mips-linux-gnu/6/cc1
    /usr/lib/gcc/mips-linux-gnu/6/cc1 -quiet -imultiarch mips-linux-gnu httpds.c -meb -quiet -dumpbase httpds.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mips32r2 "-mabi=32" -auxbase httpds -o /tmp/ccpMlAX1.s
    3⤵
    - Writes file to tmp directory
    PID:725
- - /usr/local/sbin/as
    as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
    3⤵
    PID:737
- - /usr/local/bin/as
    as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
    3⤵
    PID:737
- - /usr/sbin/as
    as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
    3⤵
    PID:737
- - /usr/bin/as
    as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
    3⤵
    - Writes file to tmp directory
    PID:737
- - /usr/lib/gcc/mips-linux-gnu/6/collect2
    /usr/lib/gcc/mips-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cciJHHnO.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32btsmip -pie -o httpds /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/Scrt1.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccgtz5MD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
    3⤵
    - Writes file to tmp directory
    PID:741
  - - /usr/bin/ld
      /usr/bin/ld -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cciJHHnO.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32btsmip -pie -o httpds /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/Scrt1.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccgtz5MD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
      4⤵
      Writes file to tmp directory
      PID:743
- /bin/cp
  cp httpds /etc/-lib/
  2⤵
  - Reads runtime system information
  PID:748
- /bin/chmod
  chmod u+x /etc/-lib/httpds
  2⤵
  PID:750
- /usr/bin/chattr
  chattr +ais /etc/-lib/httpds
  2⤵
  PID:751
- /bin/rm
  rm -rf ./httpds ./httpds.c ./inst
  2⤵
  PID:753

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/-lib/httpd

Filesize
163B

MD5
f74bebdcbf28f62cbca5043ccd4e3771

SHA1
398f13629a640ec98b2f3ee67cdc22b3eb5b487b

SHA256
cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa

SHA512
de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

Download Submit
/etc/-lib/httpds

Filesize
42KB

MD5
7b3111c3c2d4993d722db781de3cb1d9

SHA1
335a487d1b887283798cd003017113bf216ac588

SHA256
c3224cf64cc6e14241d22c3a3366a1f1922996e05c5d4574913d6a504387599c

SHA512
1ce406d7c76f9f3b89acbd9a10bf7c0a0aaf853db0bc8502f4f4fce58e50bd06234788082397124bcc1b214a9c9b39ba4b04ffa64a95baefd75ebdb1188207fc

Download Submit
/tmp/ccgtz5MD.o

Filesize
41KB

MD5
3f951602190fda23b8b2100b6b6db8ac

SHA1
6d7d5c8fdd3f55b5b6947d7e884c0129a0d8f221

SHA256
83857d36aa5f37d5edb6f9a3bf3d52e381bfb51e005450b008aca51097531963

SHA512
2c557de95c970b54a8c5593c954f6ccb65b1739d68a46d692f5b2f6ce2bd9b2f47fc4e8a4f3d2e8f33980e449235dfa71d7523b02b7bf34127c9574a566b0e77

Download Submit
/tmp/ccpMlAX1.s

Filesize
20KB

MD5
0a97127c20716877b46f68066c7bdeb6

SHA1
14a42bab8c8a684425921738ccd288b84c62e419

SHA256
133f86ab61197813c02171d517e5075aa290c75ab4d1ce4070f5bdeea6b56777

SHA512
db214fa5555b4b2c28c918e01880fc1db2431c710e333fb0bb5c12c2f160a179ecbedc79e041ff5ac86936c575f781c2b9c956a3dce26da25d734d6f8bab2af7

Download Submit
/tmp/httpds

Filesize
42KB

MD5
df6fe4da9a26c180a114c7ea5369b05b

SHA1
83afc0474313ec6fcd226e4d477fd91fe8fdeec3

SHA256
6ac846b9abe9c5463939f045f165be78b8de37e89799bc2b621a55330752f7b7

SHA512
b0f179b99fc4f8140c76d992414b4f6e47198cb1ef1f5e08166ad495fc7ed0cc54ea4e3a45d8fddb7b6a1956c8fd1f38deaeae0fe1539574be4b1851abfec239

Download Submit
/tmp/saveds

Filesize
42B

MD5
6c8eb055c0fd33626d89304ea6591bd0

SHA1
d51eb12a8891939217e1e867ba114ddfe940b9ed

SHA256
4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8

SHA512
a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

Download Submit
/var/spool/cron/crontabs/tmp.xAMhjs

Filesize
222B

MD5
7393b95578462d3a30ff3e4bd8d1bfc7

SHA1
aac7e4545076b4e6b4f87ff057269705434461e3

SHA256
0a85f0d828a55d5c103396b77b7438c1655edc4bfaf6d5590a7b477ab092191d

SHA512
95a03c2d3a334e50907c22e647ebe92778a94c20e074f114372f673f43b7988548bf8ec71a111ac26a770db28b814308ef65df0a19615eb54637a921166ea303

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads